authorhrs <hrs@FreeBSD.org>2014-10-09 23:45:26 +0000
committerhrs <hrs@FreeBSD.org>2014-10-09 23:45:26 +0000
commit39888f6b5683e6235630591e201a13f93bea00fd (patch)
treefef0759202326ff4a2021a76dc14fa6fbec34ae8
parentff5a508f691a24ad099c53293d4c25fb81498f19 (diff)
MFC r271545, 271610:
Make net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, and net.inet.ip.process_options vnet-aware.
-rw-r--r--etc/rc.subr16
-rw-r--r--sys/netinet/ip_fastfwd.c4
-rw-r--r--sys/netinet/ip_options.c33
-rw-r--r--sys/netinet/ip_options.h3
4 files changed, 38 insertions, 18 deletions
diff --git a/etc/rc.subr b/etc/rc.subr
index ff4e898..97b631f 100644
--- a/etc/rc.subr
+++ b/etc/rc.subr
@@ -1966,6 +1966,22 @@ check_required_after()
return 0
}
+# check_jail mib
+# Return true if security.jail.$mib exists and set to 1.
+
+check_jail()
+{
+ local _mib _v
+
+ _mib=$1
+ if _v=$(${SYSCTL_N} "security.jail.$_mib" 2> /dev/null); then
+ case $_v in
+ 1) return 0;;
+ esac
+ fi
+ return 1
+}
+
# check_kern_features mib
# Return existence of kern.features.* sysctl MIB as true or
# false. The result will be cached in $_rc_cache_kern_features_
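Review bot: The header comment on the new check_jail (the `# Return true if security.jail.$mib exists and set to 1.` line) should state that the test is for the exact value 1 and that a missing MIB, any other value and a failed `${SYSCTL_N}` invocation are all reported as false, since stderr is discarded and the caller cannot tell those cases apart. Suggested wording: `# Return true if security.jail.$mib exists and is set to exactly 1. A missing MIB, any other value, or a failed sysctl(8) run is treated as false.` Nothing in this hunk calls the function, so the MIBs it is meant for (presumably security.jail.jailed or security.jail.vnet, given the sysctls this commit makes vnet-aware) are only inferred; naming the intended callers in the comment would help the next reader.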
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index c5405d5..0772cf0 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -297,9 +297,9 @@ ip_fastforward(struct mbuf *m)
* Only IP packets without options
*/
if (ip->ip_hl != (sizeof(struct ip) >> 2)) {
- if (ip_doopts == 1)
+ if (V_ip_doopts == 1)
return m;
- else if (ip_doopts == 2) {
+ else if (V_ip_doopts == 2) {
icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_FILTER_PROHIB,
0, 0);
return NULL; /* mbuf already free'd */
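Review bot: The `if (V_ip_doopts == 1)` / `else if (V_ip_doopts == 2)` pair handles only those two values, so a packet carrying IP options silently continues down the fast path when the sysctl is 0 (or any out-of-range value); that fall-through deserves a comment before the `if`, e.g. `/* V_ip_doopts == 0 (or any other value): options are ignored and the packet stays on the fast path. */`. Switching to the per-vnet variable also makes this read depend on curvnet being set on entry to ip_fastforward(); presumably ip_input() guarantees that, but a one-line note at the function head would document the requirement. ip_fastforward() starts and ends outside this hunk.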
diff --git a/sys/netinet/ip_options.c b/sys/netinet/ip_options.c
index 8911992..e017afe 100644
--- a/sys/netinet/ip_options.c
+++ b/sys/netinet/ip_options.c
@@ -65,18 +65,21 @@ __FBSDID("$FreeBSD$");
#include <sys/socketvar.h>
-static int ip_dosourceroute = 0;
-SYSCTL_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
- &ip_dosourceroute, 0, "Enable forwarding source routed IP packets");
-
-static int ip_acceptsourceroute = 0;
-SYSCTL_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
- CTLFLAG_RW, &ip_acceptsourceroute, 0,
+static VNET_DEFINE(int, ip_dosourceroute);
+SYSCTL_VNET_INT(_net_inet_ip, IPCTL_SOURCEROUTE, sourceroute, CTLFLAG_RW,
+ &VNET_NAME(ip_dosourceroute), 0,
+ "Enable forwarding source routed IP packets");
+#define V_ip_dosourceroute VNET(ip_dosourceroute)
+
+static VNET_DEFINE(int, ip_acceptsourceroute);
+SYSCTL_VNET_INT(_net_inet_ip, IPCTL_ACCEPTSOURCEROUTE, accept_sourceroute,
+ CTLFLAG_RW, &VNET_NAME(ip_acceptsourceroute), 0,
"Enable accepting source routed IP packets");
+#define V_ip_acceptsourceroute VNET(ip_acceptsourceroute)
-int ip_doopts = 1; /* 0 = ignore, 1 = process, 2 = reject */
-SYSCTL_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
- &ip_doopts, 0, "Enable IP options processing ([LS]SRR, RR, TS)");
+VNET_DEFINE(int, ip_doopts) = 1; /* 0 = ignore, 1 = process, 2 = reject */
+SYSCTL_VNET_INT(_net_inet_ip, OID_AUTO, process_options, CTLFLAG_RW,
+ &VNET_NAME(ip_doopts), 0, "Enable IP options processing ([LS]SRR, RR, TS)");
static void save_rte(struct mbuf *m, u_char *, struct in_addr);
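Review bot: The explicit `= 0` initialisers on ip_dosourceroute and ip_acceptsourceroute are dropped in the new VNET_DEFINE lines while ip_doopts keeps `= 1`; the default-off behaviour now relies on the vnet data set being zero-filled, which I believe holds but is worth keeping explicit, i.e. `static VNET_DEFINE(int, ip_dosourceroute) = 0;` and likewise for ip_acceptsourceroute. There is also a privilege consequence of SYSCTL_VNET_INT with CTLFLAG_RW that the commit message does not mention: if vnet-flagged sysctls are writable by the root of a vnet jail, as I understand them to be, a jail can now enable source-route forwarding and acceptance for its own stack, whereas the previous global knobs were host-only. The message should say that this is intended. The `0 = ignore, 1 = process, 2 = reject` comment could additionally note that any other value is processed as if it were 1, which is how the `V_ip_doopts == 0` / `== 2` checks in ip_dooptions() treat it.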
@@ -104,9 +107,9 @@ ip_dooptions(struct mbuf *m, int pass)
struct sockaddr_in ipaddr = { sizeof(ipaddr), AF_INET };
/* Ignore or reject packets with IP options. */
- if (ip_doopts == 0)
+ if (V_ip_doopts == 0)
return 0;
- else if (ip_doopts == 2) {
+ else if (V_ip_doopts == 2) {
type = ICMP_UNREACH;
code = ICMP_UNREACH_FILTER_PROHIB;
goto bad;
@@ -167,7 +170,7 @@ ip_dooptions(struct mbuf *m, int pass)
code = ICMP_UNREACH_SRCFAIL;
goto bad;
}
- if (!ip_dosourceroute)
+ if (!V_ip_dosourceroute)
goto nosourcerouting;
/*
* Loose routing, and not at next destination
@@ -180,7 +183,7 @@ ip_dooptions(struct mbuf *m, int pass)
/*
* End of source route. Should be for us.
*/
- if (!ip_acceptsourceroute)
+ if (!V_ip_acceptsourceroute)
goto nosourcerouting;
save_rte(m, cp, ip->ip_src);
break;
@@ -189,7 +192,7 @@ ip_dooptions(struct mbuf *m, int pass)
if (V_ipstealth)
goto dropit;
#endif
- if (!ip_dosourceroute) {
+ if (!V_ip_dosourceroute) {
if (V_ipforwarding) {
char buf[16]; /* aaa.bbb.ccc.ddd\0 */
/*
diff --git a/sys/netinet/ip_options.h b/sys/netinet/ip_options.h
index 7cb447e..4a6ea42 100644
--- a/sys/netinet/ip_options.h
+++ b/sys/netinet/ip_options.h
@@ -47,7 +47,8 @@ struct ipopt_tag {
struct ipoptrt ip_srcrt;
};
-extern int ip_doopts; /* process or ignore IP options */
+VNET_DECLARE(int, ip_doopts); /* process or ignore IP options */
+#define V_ip_doopts VNET(ip_doopts)
int ip_checkrouteralert(struct mbuf *);
int ip_dooptions(struct mbuf *, int);
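Review bot: The header now expands VNET_DECLARE and VNET at the `VNET_DECLARE(int, ip_doopts)` line, but no `#include <net/vnet.h>` appears in the hunk; unless ip_options.h already pulls it in (not visible here), every consumer must include net/vnet.h before this header or fail to compile. Either add the include to the header or mark the dependency next to the declaration, `/* requires <net/vnet.h> */`. The trailing comment could also be brought in line with the definition in ip_options.c, `/* 0 = ignore, 1 = process, 2 = reject IP options; per-vnet */`.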